Unauthenticated compromise in Oracle HTTP Server / WebLogic Server Proxy Plug-in
CVE-2026-21962 is a critical vulnerability in Oracle Fusion Middleware affecting Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in, specifically the WebLogic Server Proxy Plug-in for Apache HTTP Server and the WebLogic Server Proxy Plug-in for IIS. Affected supported versions are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, with the IIS plug-in affected only in version 12.2.1.4.0. Oracle states the flaw is easily exploitable by an unauthenticated attacker over HTTP with no user interaction. Supporting reports indicate the defect is in how the proxy plug-ins handle incoming requests, and public exploitation traffic has been observed using crafted requests against proxy-related paths. Oracle’s advisory describes compromise of the Oracle HTTP Server / proxy plug-in layer with scope change, meaning exploitation may significantly affect additional downstream products or environments reachable through the proxy tier.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository contains a small exploit package for CVE-2026-21962 targeting Oracle WebLogic Server Proxy Plug-In / Oracle HTTP Server deployments. There are three files: a standalone Python PoC, a Nuclei template, and a README. Because the repository includes a Nuclei template, it can be considered framework-associated; however, the Python file is the main offensive component and the YAML template provides scanner-style verification logic.

The Python exploit, CVE-2026-21962.py, is a direct unauthenticated RCE PoC. It accepts a target URL and arbitrary command from the operator, iterates over several likely proxy plug-in base paths, and appends a crafted traversal-like URI ending in /bea_wls_internal/ProxyServlet. It injects a base64-encoded command string prefixed with cmd: into multiple proxy-related HTTP headers: WL-Proxy-Client-IP, Proxy-Client-IP, and X-Forwarded-For. It then sends GET requests and treats HTTP 200, 302, or 500 as likely success conditions, printing up to 1500 bytes of response body as possible command output. This gives the operator arbitrary command execution capability, including simple recon commands or reverse-shell style commands if supplied manually.

The Nuclei template, CVE-2026-21962.yaml, is a detection/verification artifact for the same issue. It sends crafted GET requests to three candidate paths using the same header-based payload concept, but uses a whoami command for validation. Matchers look for status codes 200/302/500, non-empty body content, and common usernames or platform strings such as oracle, weblogic, root, or nobody. An extractor attempts to pull a username from the response. This template is suitable for scanning and confirming exposure rather than full interactive exploitation.

The README describes the issue as critical and network exploitable, lists affected Oracle HTTP Server and WebLogic Proxy Plug-in versions, and provides high-level impact and mitigation guidance.
Overall, the repository’s purpose is to provide both a practical command-execution PoC and a reusable Nuclei-based verification template for exposed vulnerable Oracle proxy plug-in endpoints.
This repository is a standalone Java Swing GUI exploit tool for CVE-2026-21962, described as an unauthenticated Oracle WebLogic/Oracle HTTP Server Proxy Plug-In remote code execution issue. The repository is small and focused: 4 primary code files plus Maven metadata, a Windows launcher, README, and build artifacts.

Structure and purpose:
- Main.java is the application entry point and launches the Swing GUI.
- gui/MainWindow.java implements the operator interface, including multi-target URL input, command input, execution and clear buttons, log display, and output display. It uses a SwingWorker so exploitation runs asynchronously and supports batch processing of multiple targets.
- core/Exploit.java contains the main exploit logic. It builds a payload by prepending 'cmd:' to the operator-supplied command, Base64-encoding it, and inserting it into three HTTP headers: WL-Proxy-Client-IP, Proxy-Client-IP, and X-Forwarded-For, each prefixed with '127.0.0.1;'. It then iterates through five candidate proxy-related base paths and appends a special URI '/weblogic/..;/bea_wls_internal/ProxyServlet' to each constructed target URL. For each request it performs a GET and treats HTTP 200, 302, or 500 as potentially successful. If a response body is present, it is displayed as command output, truncated to 1500 characters.
- util/HttpClient.java wraps OkHttp and deliberately disables TLS certificate and hostname validation, allowing exploitation against HTTPS targets with invalid or self-signed certificates. It sets 12-second connect/read/write timeouts and disables redirect following.
- run.bat launches the compiled classes with explicit local Maven dependency paths on Windows.

Exploit capabilities:
- Unauthenticated network-based exploitation against operator-supplied HTTP/HTTPS targets.
- Arbitrary command injection via crafted proxy-related headers.
- Multi-target batch execution from the GUI.
- Automatic testing of multiple likely exposed proxy/plugin paths.
- Retrieval and display of returned command output from the HTTP response body.
- HTTPS support with trust bypass.

Notable observations:
- This is a real exploit implementation rather than a detector; it accepts arbitrary commands and attempts to execute them remotely.
- It is operational but not highly modular or framework-based; payload customization is limited to the command string entered by the user.
- The repository includes some incidental artifacts (debug.log and Maven compiler status files) that are not part of the exploit logic but do leak local filesystem paths from the developer environment.
Repository contains a Python proof-of-concept exploit and a Nuclei template for CVE-2026-21962, described as an unauthenticated RCE affecting Oracle HTTP Server / WebLogic Proxy Plug-In.

Structure:
(1) CVE-2026-21962.py: standalone network exploit that iterates common proxy plug-in base paths (/weblogic/, /wl_proxy/, /bea_wls_internal/, /_proxy/, /proxy/) and sends a GET request to a crafted traversal/bypass URI (/weblogic/..;/bea_wls_internal/ProxyServlet). It injects a base64-encoded payload of the form 'cmd:<command>' into multiple headers (WL-Proxy-Client-IP, Proxy-Client-IP, X-Forwarded-For) and treats HTTP 200/302/500 as likely success, optionally printing response body as potential command output. TLS verification is disabled (verify=False).
(2) CVE-2026-21962.yaml: a ProjectDiscovery Nuclei template that sends similar GET requests to three paths and uses base64('cmd:<rand> && whoami') in the same headers; matchers look for status codes 200/302/500 and body content suggestive of command output or WebLogic context.
(3) README.md: background, affected versions, and usage examples including reverse shell and PowerShell download/execute stager.

Overall purpose: enable remote, unauthenticated command execution against exposed vulnerable proxy plug-in deployments and provide a scanning/verification template for Nuclei.
Repository contains a single Python exploit script (CVE-2026-21962.py) and a short README with usage examples (single target, batch mode, and a reverse-shell command example). Core behavior: the script attempts network-based RCE against Oracle WebLogic by sending an HTTP GET request to a ProxyServlet endpoint using a normalization-bypass style path ("/weblogic/..;/bea_wls_internal/ProxyServlet"). It iterates over several common WebLogic proxy/plugin base paths ("/weblogic/", "/wl_proxy/", "/bea_wls_internal/", "/_proxy/", "/proxy/") to find a reachable vulnerable route. The command is embedded as base64("cmd:<command>") and injected into multiple proxy-related headers (WL-Proxy-Client-IP, Proxy-Client-IP, X-Forwarded-For) in the form "127.0.0.1;{encoded}". Capabilities: arbitrary command execution (operator-provided), optional capture/printing of response body snippets, and threaded batch scanning of many targets via ThreadPoolExecutor. It treats HTTP status codes 200/302/500 as potential success and logs hits with timestamps to an output file (default output.txt). TLS verification is disabled (verify=False) and redirects are not followed (allow_redirects=False).
Repository contains a Python proof-of-concept exploit and a Nuclei template for CVE-2026-21962, described as an unauthenticated RCE in the Oracle WebLogic Server Proxy Plug-In / Oracle HTTP Server proxy integration.

Structure & purpose:
- CVE-2026-21962.py: Standalone Python exploit that iterates through common proxy plug-in base paths (/weblogic/, /wl_proxy/, /bea_wls_internal/, /_proxy/, /proxy/) and appends a crafted traversal-like URI '/weblogic/..;/bea_wls_internal/ProxyServlet'. It sends a GET request with multiple proxy-related headers (WL-Proxy-Client-IP, Proxy-Client-IP, X-Forwarded-For) containing a base64-encoded payload 'cmd:<user command>' prefixed by '127.0.0.1;'. It treats HTTP 200/302/500 as likely success and prints up to 1500 chars of response body as potential command output.
- CVE-2026-21962.yaml: Nuclei template to detect (and effectively exercise) the issue by requesting several candidate paths ending in '/..;/bea_wls_internal/ProxyServlet' and injecting a base64-encoded 'cmd:<rand> && whoami' into the same headers. Matchers look for status codes (200/302/500), non-empty body, and common identity strings (root/nobody/oracle/weblogic) to infer exploitation.
- README.md: Usage instructions and example payloads (including reverse shell and PowerShell download cradle), plus affected versions and patch guidance.

Main exploit capabilities:
- Remote, unauthenticated command execution over HTTP(S) by abusing proxy plug-in header handling combined with a special ProxyServlet URI.
- Supports arbitrary operator-supplied commands (Python PoC) and basic verification command execution (Nuclei template uses whoami).

Notable implementation details:
- Uses requests with verify=False (TLS cert validation disabled) and allow_redirects=False.
- Payload is base64-encoded to attempt filter/WAF bypass.
- No built-in interactive shell management; reverse shells are suggested via user-provided command strings.
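All five tooling summaries above share two observable artifacts: a `..;` normalization bypass in the request path reaching `/bea_wls_internal/ProxyServlet`, and a client-IP header carrying `127.0.0.1;` followed by base64 that decodes to `cmd:`. The following is an added defensive example (not code from any of those repositories) that tags constructed JSON-lines access-log records for either artifact; the log layout, field names and sample records are assumptions.

```python
import base64
import binascii
import json

# Headers the published PoCs populate, as listed in the summaries above
SUSPECT_HEADERS = ("wl-proxy-client-ip", "proxy-client-ip", "x-forwarded-for")
PROXY_SERVLET = "/bea_wls_internal/proxyservlet"


def decodes_to_cmd(value: str) -> bool:
    """True if any ';'-separated token of a header value is base64 for 'cmd:...'."""
    for tok in value.split(";"):
        tok = tok.strip()
        if len(tok) < 8 or len(tok) % 4:   # too short or not a base64 block
            continue
        try:
            decoded = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue                         # e.g. a plain IP such as 127.0.0.1
        if decoded.startswith(b"cmd:"):
            return True
    return False


def classify(entry: dict) -> list[str]:
    """Return the detection tags that apply to one access-log record."""
    tags = []
    uri = entry.get("uri", "").lower()
    if "..;" in uri:                         # path-parameter normalization trick
        tags.append("path_param_normalization_bypass")
    if PROXY_SERVLET in uri:                 # internal servlet hit from the edge
        tags.append("proxy_servlet_reached")
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    for name in SUSPECT_HEADERS:
        val = headers.get(name)
        if val is None:
            continue
        if ";" in val:                       # client-IP headers are comma lists, never ';'
            tags.append(f"semicolon_in_{name}")
        if decodes_to_cmd(val):
            tags.append(f"encoded_cmd_in_{name}")
    return tags


def scan(lines):
    """Yield (src, uri, tags) for each record that triggers at least one tag."""
    for line in lines:
        entry = json.loads(line)
        tags = classify(entry)
        if tags:
            yield entry["src"], entry["uri"], tags


# Constructed sample records (assumed JSON-lines format, not real traffic)
SAMPLE_PAYLOAD = "127.0.0.1;" + base64.b64encode(b"cmd:whoami").decode()
SAMPLE_LOG = [
    json.dumps({"src": "203.0.113.7", "uri": "/app/index.jsp", "status": 200,
                "headers": {"X-Forwarded-For": "203.0.113.7"}}),
    json.dumps({"src": "198.51.100.9", "status": 500,
                "uri": "/wl_proxy/weblogic/..;/bea_wls_internal/ProxyServlet",
                "headers": {"WL-Proxy-Client-IP": SAMPLE_PAYLOAD,
                            "Proxy-Client-IP": SAMPLE_PAYLOAD,
                            "X-Forwarded-For": SAMPLE_PAYLOAD}}),
    json.dumps({"src": "198.51.100.9", "status": 404,
                "uri": "/proxy/bea_wls_internal/ProxyServlet",
                "headers": {"X-Forwarded-For": "198.51.100.9"}}),
]

if __name__ == "__main__":
    for src, uri, tags in scan(SAMPLE_LOG):
        print(src, uri, ", ".join(tags))
```

The same three checks translate directly into a Sigma or WAF rule: alert on `..;` in the path, on any edge request reaching `bea_wls_internal/ProxyServlet`, and on a semicolon in the three client-IP headers.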
Recent activity
74 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A maximum-severity Oracle WebLogic flaw for which exploit code became publicly available and which saw automated exploitation attempts shortly thereafter.
A critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server via the WebLogic Console.
A critical unauthenticated remote code execution vulnerability in the Oracle WebLogic Server Console.
A critical, unauthenticated code injection vulnerability leading to remote code execution (RCE). Discussed as affecting Ivanti Endpoint Manager Mobile (EPMM) and also referenced in exploitation against Oracle WebLogic.